Gnosis Pay Bug Discovered in Delay Module; Bridge Paused Amid Withdrawal Warnings

Gnosis is responding to an active security incident affecting Gnosis Pay after co-founder Martin Köppelmann warned users about a bug tied to the platform’s delay module. The first public warning was posted on June 1, 2026, when Köppelmann said users should withdraw EURe and GNO from Gnosis Pay; he later deleted that withdrawal instruction and said most users would not be able to withdraw while containment work continued.

Blockchain security firm PeckShield amplified the warning on June 1, 2026, saying an active exploit was related to Gnosis Pay and urging users to check their exposure. No final loss figure, affected-account count or completed technical postmortem has been published in the sources reviewed, so the scope of the incident remains unresolved.

Zodiac Delay Module Becomes the Focus

Köppelmann later clarified that the bug is related to the Zodiac Delay Module, and said the attacker could initiate transactions from Safes configured with that module. That update was posted on June 1, 2026, and also said Gnosis was taking containment steps, including asking bridge validators to pause activity.

Gnosis Pay’s own documentation says user accounts are Safe accounts with a Delay Module and a Roles Module attached. The Delay Module is designed to add a three-minute delay to outgoing transactions, while the Roles Module defines spending rules such as token selection, daily limits and approved recipients.

That context matters because the affected component was meant to serve as part of the account-safety layer. The public updates do not describe a confirmed failure of all Safe accounts or all Gnosis infrastructure; they describe an active issue involving Safes using the relevant delay-module configuration.

Losses and Bridge Status Remain Pending

Köppelmann said Gnosis would cover user losses and later added that the team believed it could contain most of the damage. That is a reimbursement commitment from Gnosis leadership, not a confirmed recovery total, because the team has not yet published a final accounting of drained funds or affected users.

The bridge intervention is also a containment measure, not a completed resolution. Asking bridge validators to pause related activity may limit cross-chain movement of affected funds, but the public updates reviewed do not confirm that all malicious activity has stopped or that every impacted asset has been secured.

In summary, Gnosis Pay is dealing with an active exploit tied to the Zodiac Delay Module, with EURe and GNO exposure specifically flagged by public warnings. Until Gnosis publishes a postmortem, the attack vector, loss total, affected wallets and final remediation plan should remain marked as pending.
